US8510446B1ActiveUtility

Dynamically populating an identity-correlation data store

84
Assignee: PAI MANISHPriority: Mar 15, 2011Filed: Mar 15, 2011Granted: Aug 13, 2013
Est. expiryMar 15, 2031(~4.7 yrs left)· nominal 20-yr term from priority
Inventors:Manish Pai
G06F 21/55H04L 43/04
84
PatentIndex Score
10
Cited by
7
References
16
Claims

Abstract

A method and apparatus for dynamically populating an identity-correlation data store and using the identity-correlation data store to correlate external identifiers and unique internal identifiers are described.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method, implemented by a server computing system programmed to perform the following, comprising:
 receiving, at the server computing system from one or more data loss prevention (DLP) agents hosted by one or more client computing systems, a plurality of external identifiers captured by the one or more agents while monitoring outbound activities performed by the one or more client computing systems; 
 mapping each of the plurality of external identifiers to a corresponding one of a plurality of unique internal identifiers in an identity-correlation data store of the server computing system, wherein the plurality of unique internal identifiers are assigned to a plurality of users by an entity, and wherein the plurality of external identifiers are not assigned by the entity; 
 subsequently receiving an incident record of a violation of a DLP policy from one of the DLP agents, the incident record comprising one of the plurality of external identifiers; 
 identifying a corresponding one of the plurality of unique internal identifiers correlated to the one external identifier in the incident record using the identity-correlation data store to identify one of the plurality of users associated with the one external identifier; and 
 updating the incident record to include the identified unique internal identifier. 
 
     
     
       2. The method of  claim 1 , wherein said identifying comprises performing a look-up operation in the identity-correlation data store using the external identifier in the incident report to identify the one of the plurality of users. 
     
     
       3. The method of  claim 1 , further comprising:
 receiving, at the server computing system, one of the plurality of unique internal identifiers from one of the client computing systems, wherein the one unique internal identifier is captured by the agent hosted by the one client computing system when one of the plurality of users logs into the one client computing systems or a service provided by an entity; and 
 creating an entry in the identity-correlation data store when there are no entries containing the captured unique internal identifier. 
 
     
     
       4. The method of  claim 1 , wherein said receiving the plurality of external identifiers comprises:
 receiving an intercepted login packet to an external request, captured by the one or more agents while monitoring outbound activities performed by the one or more client computing systems; and 
 extracting the external identifier from the intercepted login packet. 
 
     
     
       5. A system, comprising:
 a server computing system, comprising:
 a memory; and 
 a processor coupled with the memory, wherein the processor is configured to execute a data loss prevention (DLP) system communicatively coupled to one or more DLP agents, wherein the DLP system is to: 
 receive from one or more DLP agents hosted by one or more client computing systems a plurality of external identifiers captured by the one or more agents while monitoring outbound activities performed by the one or more client computing systems; 
 map each of the plurality of external identifiers to a corresponding one of a plurality of unique internal identifiers in an identity-correlation data store, wherein the plurality of unique internal identifiers are assigned to a plurality of users by an entity, and wherein the plurality of external identifiers are not assigned by the entity; 
 subsequently receive an incident record of a violation of a DLP policy from one of the DLP agents, the incident record comprising one of the plurality of external identifiers; 
 identify a corresponding one of the plurality of unique internal identifiers correlated to the one external identifier in the incident record using the identity-correlation data store to identify one of the plurality of users associated with the one external identifier; and 
 update the incident record to include the identified unique internal identifier. 
 
 
     
     
       6. The system of  claim 5 , further comprising a client computing system, communicatively coupled to the server computing system, the client computing system comprising:
 a second memory; and 
 a second processor coupled to the memory to
 monitor outbound activities performed by the client computing system, and 
 capture an external identifier from each of the outbound activities and to send the captured external identifiers to the server computing system having the identity-correlation data store. 
 
 
     
     
       7. The system of  claim 6 , wherein the second processor is to
 detect a violation of a DLP policy, 
 create an incident record of the violation of the DLP policy, the incident record comprising one of the external identifiers being used by a particular user when the violation occurred, and 
 send the incident report to the DLP system. 
 
     
     
       8. The system of  claim 6 , wherein the second processor is configured to monitor at least one of outbound network traffic, outbound data transfer, or printing activities. 
     
     
       9. The system of  claim 6 , wherein the second processor is configured to:
 a packet interceptor to capture a login packet sent by an application to an external service hosted by an application server; 
 a packet data parser to receive the captured login packet from the packet interceptor and to extract the external identifier from the captured login packet; and 
 a transmitter to send the extracted external identifier to the server computing system having the identity-correlation data store. 
 
     
     
       10. The system of  claim 9 , wherein the second processor is configured to capture the external identifiers by decoding the login packet when encoded. 
     
     
       11. The system of  claim 6 , wherein the second processor is configured to capture one of the unique internal identifiers when one of the users of the client computing system logs into the client computing system or a service provided by the entity, and
 send the captured unique internal identifier to the server computing system having the identity-correlation data store. 
 
     
     
       12. The system of  claim 11 , wherein the first processor is configured to create an entry in the identity-correlation data store when there are no entries containing the captured unique internal identifier. 
     
     
       13. A non-transitory computer readable storage medium storing instructions that when executed by a server computing system cause the server computing system to perform operations comprising:
 receiving, at the server computing system from one or more data loss prevention (DLP) agents hosted by one or more client computing systems, a plurality of external identifiers captured by the one or more agents while monitoring outbound activities performed by the one or more client computing systems; 
 mapping each of the plurality of external identifiers to a corresponding one of a plurality of unique internal identifiers in an identity-correlation data store of the server computing system, wherein the plurality of unique internal identifiers are assigned to a plurality of users by an entity, and wherein the plurality of external identifiers are not assigned by the entity; 
 subsequently receiving an incident record of a violation of a DLP policy from one of the DLP agents, the incident record comprising one of the plurality of external identifiers; 
 identifying a corresponding one of the plurality of unique internal identifiers correlated to the one external identifier in the incident record using the identity-correlation data store to identify one of the plurality of users associated with the one external identifier; and 
 updating the incident record to include the identified unique internal identifier. 
 
     
     
       14. The non-transitory computer readable storage medium of  claim 13 , wherein said identifying comprises performing a look-up operation in the identity-correlation data store using the external identifier in the incident report to identify the one of the plurality of users. 
     
     
       15. The non-transitory computer readable storage medium of  claim 13 , wherein the operations further comprise:
 receiving, at the server computing system, one of the plurality of unique internal identifiers from one of the client computing systems, wherein the one unique internal identifier is captured by the agent hosted by the one client computing system when one of the plurality of users logs into the one client computing systems or a service provided by an entity; and 
 creating an entry in the identity-correlation data store when there are no entries containing the captured unique internal identifier. 
 
     
     
       16. The non-transitory computer readable storage medium of  claim 13 , wherein said receiving the plurality of external identifiers comprises:
 receiving an intercepted login packet to an external request, captured by the one or more agents while monitoring outbound activities performed by the one or more client computing systems; and 
 extracting the external identifier from the intercepted login packet.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.